I'm tweaking a site that has been using FB authentication and access tokens for a while to deal with the deprecation of offline_access, and, in particular, doing the fb_exchange_token thing to get extended-duration tokens for the site's users. It seems to be working, but I've got some questions. My basic approach is:
I get the user logged in through the usual server-side back-and-forth procedure, finally giving me a valid access token for the user. This works fine, and appears to be valid for 5300 seconds or so, like the standard/original tokens.
I then immediately do the fb_exchange_token call; this succeeds and gives me a new access_token that's good for a couple of months. This is the token that my site saves away for future use when it does things on behalf of the user.
This makes sense, right? It seems a little redundant to make one call right after another, but it's getting me the extended-lifespan token, which is what I want. I suppose I could use the original token for as long as it lasts and not bother with the exchange until the original token expires, but (a) it seems like I might as well get and use the extended one from the start and (b) it's not clear to me that an expired token can be exchanged for an extended-duration token.
So: Does anyone see any problems with this approach? Thanks!
a) Yes, that approach works well. I do that with some of my apps.
b) Please see the 3rd item in this FAQ. http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html
Can I exchange my 60 day access token for a new 60 day access token?
No, sorry you cannot. You can only exchange a valid (meaning current) user access token for an extended one. You cannot extend an already extended access token.
I've noticed today that for the token to actually be extended you have to disable the offline_token within your application settings. I was trying all day with this setting still enabled and I was only getting standard 2 hour tokens; the moment I disabled it and tried again (after re-authenticating with FB), I got given a 2 month token. Hope this saves people time (the documentation isn't very clear at all haha).
Why not just do something like this (much cleaner than doing all those explodes)?
$response = $this->facebook->api('/oauth/access_token', 'GET', array(
    'grant_type' => 'fb_exchange_token',
    'client_id' => $app_id,
    'client_secret' => $app_secret,
    'fb_exchange_token' => $access_token
));
parse_str($response, $output_array);
$long_lived_access_token = $output_array['access_token'];
$expires = $output_array['expires'];
Is this still working for people as of April 10th? I noticed yesterday our original tokens stopped being good for 60 days and so I implemented the fb_exchange_token call. But the response I get back is still only good for around 2 hours, i.e. this:
access_token=AAAEHLUxxx...xx&expires=4404
I've been using the Android SDK to get the tokens, and my app has deprecated the offline_access permission. It was working well for about a week; all tokens used to last for 60 days.
$url = "https://graph.facebook.com/oauth/access_token?client_id=$client_id&client_secret=$client_secret&grant_type=fb_exchange_token&fb_exchange_token=$fb_access_token";
$graph = file_get_contents($url);
$graph = explode("=", $graph);
$graph = explode("&", $graph[1]);
$new_access_token = $graph[0];
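
Added example, not part of any post in this thread: a PHP function that parses the body returned by the fb_exchange_token call and checks that the token really was extended before the site stores it, which catches the "still only good for around 2 hours" case reported above. The function name, the one-day threshold and the sample bodies are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: a lifetime under one day means a standard short-lived token.
const MIN_EXTENDED_LIFETIME = 86400;

/**
 * @param string $body Raw response body, e.g. "access_token=...&expires=4404"
 * @param int    $now  Current Unix time (passed in so results are repeatable)
 * @return array ['token' => string, 'expires_at' => int, 'extended' => bool]
 * @throws RuntimeException when the body carries no usable token
 */
function parse_exchange_response(string $body, int $now): array
{
    $body = trim($body);
    // Assumption: a body that is empty or starts with "{" is a failure report,
    // not the query-string form shown in the thread. Never store it as a token.
    if ($body === '' || $body[0] === '{') {
        throw new RuntimeException('Token exchange failed');
    }

    // parse_str() is independent of field order and of "=" inside a value,
    // both of which break the explode("=") / explode("&") approach.
    parse_str($body, $fields);
    $token   = $fields['access_token'] ?? null;
    $expires = $fields['expires'] ?? null;
    if (!is_string($token) || $token === '') {
        throw new RuntimeException('No access_token in exchange response');
    }
    if (!is_string($expires) || !ctype_digit($expires)) {
        throw new RuntimeException('No numeric expires in exchange response');
    }

    return [
        'token'      => $token,
        'expires_at' => $now + (int) $expires,  // store this next to the token
        'extended'   => (int) $expires >= MIN_EXTENDED_LIFETIME,
    ];
}

// Constructed sample bodies; the token values are placeholders, not real tokens.
$samples = [
    'access_token=PLACEHOLDER_SHORT&expires=4404',    // the ~2 hour case
    'expires=5184000&access_token=PLACEHOLDER_LONG',  // 60 days, fields reordered
];
foreach ($samples as $body) {
    $r = parse_exchange_response($body, time());
    // Log the outcome only, never the token itself.
    printf("extended=%s expires_at=%s\n", $r['extended'] ? 'yes' : 'no', gmdate('c', $r['expires_at']));
}
```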